Under attack, wordpress hacked
Good day,
I have a hole to plug but I'm not sure where to start. I get a ticket of malicious content. When I go to /var/www/somewebsite/ I see there is an extra dir called vim and a whole bunch of new files and dirs under the /var/www/somewebsite/html dir. My current solution is to delete everything in /var/www/somewebsite/ and to run clamav when I booted into rescue mode.
After clamav the following files were quarantined:
-rw-r--r-- 1 www-data www-data 60230 Dec 6 07:22 2index.php.001
-rw-r--r-- 1 www-data www-data 88790 Dec 13 09:06 wp-plugins.php.001.001
-rw-r--r-- 1 www-data www-data 88790 Dec 14 06:04 wp-plugins.php.002.001
-rw-r--r-- 1 www-data www-data 88790 Dec 14 09:04 wp-plugins.php.003
Today I noticed that in the /var/www/somewebsite/html/ there were two files after I deleted everything in that dir - index.php and .htaccess When I delete them (no errors when deleting), they just pop back immediately.
This is the second site that was attacked. It seems that I have a weakness in my setup? Any advice, please?
(I've config ssh so that only my user can log in using public key)
2 Replies
✓ Best Answer
My suggestion would be to:
Save all your content… both text and graphics using the WP Export tool that is built-in. I'd also save off the Uploads directory in wp-content.
Install WP in a (new) subdirectory
Install the WPs Hide Login and Wordfence plugins.
Change permissions to what WP is recommending (especially for wp-config.php (we use 644).
Change the .htaccess file to redirect to the new subdirectory.
I would assume that they were able to breach your site through the Wordpress admin login page.
Possibly due to a weak or compromised password, Wordpress wasn’t updated recently, a plug-in with a known vulnerability that wasn’t updated, or could possibly be a malicious plug-in since they’re not code reviewed for safety or security by Wordpress.
Since the files keep coming back, that means there is still some malware in your Wordpress site.